feat(events): guest accounts for public event registration

Non-members who register for an event now get a persistent identity:
with consent, a status:"guest" Member is upserted and an auth cookie is
set so the "You're Registered" state survives a page refresh.

Tiered auto-login matches passwordless-auth norms — auto-login is only
safe when the account holds no privileges:
- New email → create guest + cookie
- Returning guest → cookie
- Existing non-guest (active/pending/etc.) → attach ticket only, no
  cookie, confirmation email includes a sign-in link

Guests are gated on status === "guest", so admin/middleware code that
keys on status === "active" naturally excludes them. Guests are also
treated as non-members for ticket pricing/validation to prevent picking
up member-only pricing on their second registration.

server/api/events/[id]/tickets/purchase.post.js

@@ -43,14 +43,16 @@ export default defineEventHandler(async (event) => {
       });
     }
 
-    // Check if user is a member
-    const member = await Member.findOne({ email: body.email.toLowerCase() });
+    // Check if user is a member. Guests don't count as members for pricing/validation.
+    let member = await Member.findOne({ email: body.email.toLowerCase() });
+    let accountCreated = false;
+    const isRealMember = (m) => !!m && m.status !== "guest";
 
     // Validate ticket purchase
     const validation = validateTicketPurchase(eventData, {
       email: body.email,
       name: body.name,
-      member,
+      member: isRealMember(member) ? member : null,
     });
 
     if (!validation.valid) {
@@ -86,15 +88,36 @@ export default defineEventHandler(async (event) => {
       // For now, we trust the transaction ID from HelcimPay.js
     }
 
+    // If no Member yet and the user consented, atomically create a guest Member.
+    // findOneAndUpdate with $setOnInsert handles concurrent registrations on the
+    // same email (email has a unique index).
+    if (!member && body.createAccount) {
+      member = await Member.findOneAndUpdate(
+        { email: body.email.toLowerCase() },
+        {
+          $setOnInsert: {
+            email: body.email.toLowerCase(),
+            name: body.name,
+            circle: "community",
+            contributionTier: "0",
+            status: "guest",
+          },
+        },
+        { upsert: true, new: true, setDefaultsOnInsert: true }
+      );
+      accountCreated = true;
+    }
+
     // Create registration
+    const realMember = isRealMember(member);
     const registration = {
       memberId: member ? member._id : null,
       name: body.name,
       email: body.email.toLowerCase(),
-      membershipLevel: member
+      membershipLevel: realMember
         ? `${member.circle}-${member.contributionTier}`
         : "non-member",
-      isMember: !!member,
+      isMember: realMember,
       ticketType: ticketInfo.ticketType,
       ticketPrice: ticketInfo.price,
       paymentStatus: requiresPayment ? "completed" : "not_required",
@@ -113,9 +136,20 @@ export default defineEventHandler(async (event) => {
     // legacy location data unrelated to this write.
     await eventData.save({ validateBeforeSave: false });
 
+    // Decide on auto-login: safe for new accounts and existing guests, not for
+    // real members (stranger could hijack by typing email into a public form).
+    let signedIn = false;
+    let requiresSignIn = false;
+    if (member && (accountCreated || member.status === "guest")) {
+      setAuthCookie(event, member);
+      signedIn = true;
+    } else if (member) {
+      requiresSignIn = true;
+    }
+
     // Send confirmation email
     try {
-      await sendEventRegistrationEmail(registration, eventData);
+      await sendEventRegistrationEmail(registration, eventData, { requiresSignIn });
     } catch (emailError) {
       console.error("Failed to send confirmation email:", emailError);
       // Don't fail the registration if email fails
@@ -131,6 +165,8 @@ export default defineEventHandler(async (event) => {
         ticketType: registration.ticketType,
         amountPaid: registration.amountPaid,
       },
+      accountCreated,
+      signedIn,
       payment: transactionId
         ? {
             transactionId: transactionId,

server/models/member.js

@@ -35,7 +35,7 @@ const memberSchema = new mongoose.Schema({
   },
   status: {
     type: String,
-    enum: ["pending_payment", "active", "suspended", "cancelled"],
+    enum: ["pending_payment", "active", "suspended", "cancelled", "guest"],
     default: "pending_payment",
   },
   helcimCustomerId: String,

server/utils/auth.js

@@ -2,6 +2,26 @@ import jwt from 'jsonwebtoken'
 import Member from '../models/member.js'
 import { connectDB } from './mongoose.js'
 
+/**
+ * Issue a session JWT and set the auth-token cookie for the given member.
+ * Mirrors the cookie options used by verify.post.js.
+ */
+export function setAuthCookie(event, member) {
+  const token = jwt.sign(
+    { memberId: member._id.toString(), email: member.email, tv: member.tokenVersion || 0 },
+    useRuntimeConfig(event).jwtSecret,
+    { expiresIn: '7d' }
+  )
+
+  setCookie(event, 'auth-token', token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 60 * 60 * 24 * 7
+  })
+}
+
 /**
  * Verify JWT from cookie and return the decoded member.
  * Throws 401 if token is missing or invalid.

server/utils/resend.js

@@ -4,8 +4,11 @@ const resend = new Resend(process.env.RESEND_API_KEY);
 
 /**
  * Send event registration confirmation email
+ * @param {Object} options - { requiresSignIn?: boolean } — when true, appends a
+ *   "sign in to view your ticket" paragraph for existing non-guest members who
+ *   registered via the public form and did not receive an auto-login cookie.
  */
-export async function sendEventRegistrationEmail(registration, eventData) {
+export async function sendEventRegistrationEmail(registration, eventData, options = {}) {
   const formatDate = (dateString) => {
     const date = new Date(dateString);
     return new Intl.DateTimeFormat("en-US", {
@@ -31,6 +34,9 @@ export async function sendEventRegistrationEmail(registration, eventData) {
 
   const baseUrl = process.env.BASE_URL || "https://ghostguild.org";
   const eventUrl = `${baseUrl}/events/${eventData.slug || eventData._id}`;
+  const signInSection = options.requiresSignIn
+    ? `\nSign in to view your ticket: ${baseUrl}/login\n`
+    : "";
 
   let ticketSection = "";
   if (
@@ -63,7 +69,7 @@ You're registered for ${eventData.title}.
 Date: ${formatDate(eventData.startDate)}
 Time: ${formatTime(eventData.startDate, eventData.endDate)}
 Location: ${eventData.location}
-${eventData.description ? `\n${eventData.description}\n` : ""}${ticketSection}
+${eventData.description ? `\n${eventData.description}\n` : ""}${ticketSection}${signInSection}
 View event: ${eventUrl}
 
 To cancel, visit the event page and click "Cancel Registration."`,

server/utils/schemas.js

@@ -95,7 +95,8 @@ export const helcimUpdateBillingSchema = z.object({
 export const ticketPurchaseSchema = z.object({
   name: z.string().min(1).max(200),
   email: z.string().trim().toLowerCase().email(),
-  transactionId: z.string().max(500).optional()
+  transactionId: z.string().max(500).optional(),
+  createAccount: z.boolean().optional().default(true)
 })
 
 export const ticketReserveSchema = z.object({